Cryto! 6 December 2013

00:13:38 pzuraq (pzuraq@cryto-D7CF12F7.hsd1.ca.comcast.net) has joined #crytocc
00:16:08 Cryto932 (Cryto932@F4EF52AC.545FD2A4.9C4EE3DF.IP) has joined #crytocc
00:16:17 Cryto932 has quit (User quit:  Page closed)
00:52:52 mama has quit (Ping timeout)
01:02:30 <botpie91> musalbas made 2 commit(s) to btcalltimehigh on branch master: 'Finish up PricePoller, rename / page', 'Merge branch 'master' of https://github.com/musalbas/btcalltimehigh' (https://github.com/musalbas/btcalltimehigh/compare/63ff9a107c...3c38cf7972)
01:08:33 <botpie91> musalbas made 0 commit(s) to btcalltimehigh on branch master:  (https://github.com/musalbas/btcalltimehigh/compare/3c38cf7972...a91cfedc85)
01:12:35 <botpie91> musalbas made 0 commit(s) to btcalltimehigh on branch master:  (https://github.com/musalbas/btcalltimehigh/compare/a91cfedc85...c0d303b997)
01:17:07 <botpie91> musalbas made 1 commit(s) to btcalltimehigh on branch master: 'Finish up PricePoller' (https://github.com/musalbas/btcalltimehigh/compare/c0d303b997...b3578fb5c7)
01:28:36 x has quit (Input/output error)
02:39:50 lblissett has quit (Ping timeout)
02:59:16 lblissett (lblissett@cryto-1EEC6C73.host.de.colt.net) has joined #crytocc
03:36:04 Charles (Charles@Charles.users.cryto) has joined #crytocc
03:36:21 <Charles> .bitcoin
03:36:21 <botpie91> 1 BTC = $990.10, 1 BTC = €789.76
03:46:31 Charles has quit (Client exited)
03:49:39 <dorotea> dat wobble
03:51:53 <dorotea> I was never really into rock and roll
03:51:58 <dorotea> I never liked britpop at all
03:52:05 <dorotea> fuck punk rock, metal, and salsa
03:52:13 <dorotea> Don't even talk to me about jazz
03:52:25 <dorotea> You know, all I really want is a beat and a bassline
04:05:04 fanat1ck (fanat1ck@cryto-ACCD2356.us-west-1.compute.amazonaws.com) has joined #crytocc
04:06:25 fanat1ck has quit (User quit:  Connection closed)
04:53:35 Charles (Charles@Charles.users.cryto) has joined #crytocc
04:53:57 <Charles> coincoin new currency!:D
05:05:40 Charles has quit (Client exited)
06:33:30 pzuraq has quit (Input/output error)
06:34:20 pzuraq (pzuraq@cryto-D7CF12F7.hsd1.ca.comcast.net) has joined #crytocc
06:59:26 multihate (root@multihate.users.cryto) has joined #crytocc
08:27:42 pzuraq has quit (Input/output error)
08:33:47 joepie91 (joepie91@cryto-3E6002EF.direct-adsl.nl) has joined #crytocc
09:14:55 x (foobar@C35CA8A8.589C91BA.8F6A2B14.IP) has joined #crytocc
10:17:02 mama (me@cryto-9904015.dfri.se) has joined #crytocc
10:38:40 daemon has quit (Ping timeout)
10:45:00 tintin has quit (Ping timeout)
10:45:31 <twitchyliquid64> lysobit: hey
10:46:14 <twitchyliquid64> joepie was just saying that you are the ideas kinda guy xD
10:47:39 <twitchyliquid64> does anyone have any ideas for something to code thats security related (no, no hacks/exploits, I only do legal things)
10:47:45 <joepie91> lysobit: well, actually I said that you might have some ideas for twitchyliquid64 to work on :P
11:05:03 tmbucky (tmbucky@cryto-DFFB302.us-west-1.compute.amazonaws.com) has joined #crytocc
11:06:24 tmbucky has quit (User quit:  Connection closed)
11:13:02 <joepie91> http://www.sfgate.com/bayarea/article/Corporation-not-person-in-carpool-lanes-4173366.php
11:15:19 <lysobit> What ideas? twitchyliquid64
11:20:46 <twitchyliquid64> lysobit: do you have any ideas for something to code?
11:21:02 <twitchyliquid64> security related, cool, interesting, and ethical?
11:24:13 <lysobit> not much that I'm not already working on :P but maybe create an anonymized chat system that relays messages through any server of your choice (i.e. whitehouse.gov or google.com) by spoofing ICMP packet headers
11:24:46 <twitchyliquid64> lysobit: what are you working on?
11:24:49 <lysobit> thus the "middle" server will bounce your message to the server specified in the spoofed packets
11:25:18 <lysobit> https://github.com/musalbas/KeypairAuth
11:25:18 <lysobit> A web-based keypair authentication system
11:25:58 <lysobit> http://i.imgur.com/cGKmXuu.png basically authenticating to websites using public/private keys rather than passwords
11:25:59 <twitchyliquid64> lysobit: not too keen on the chat thing; doesnt sound practical or ethical use of a third parties servers
11:26:14 <twitchyliquid64> lysobit: why not TLS certs?
11:26:46 <lysobit> twitchyliquid64: TLS certs are for verifying the website you're connecting to is who it says it is, not for users to authenticate to websites
11:27:03 <twitchyliquid64> lysobit: incorrect, client certs exist, used for authenticating clients
11:27:18 <twitchyliquid64> its common practice for things like govt websites
11:27:36 <lysobit> twitchyliquid64: my system has no CA
11:27:45 <lysobit> twitchyliquid64: decentralized
11:27:55 <lysobit> twitchyliquid64: so the website stores your pubkey in the db
11:27:56 <twitchyliquid64> lysobit: dont need CA's. I hate em too, all my sites are selfsigned
11:28:08 <twitchyliquid64> you can do the same with TLS
11:28:21 <twitchyliquid64> all you need to do is trust yourself, not have a CA in the chain
11:28:39 <lysobit> twitchyliquid64: If you don't use CAs with TLS, you can only make your communications private, but not verify that the user is who he says he is
11:29:20 <lysobit> twitchyliquid64: instead of doing "hacks" to use TLS in a way that is not meant to be used, my system is built ground-up for decentralized auth
11:29:44 <twitchyliquid64> lysobit: with Client certs ASWELL, one can additionally authenticate the user. Its exactly identical to private/public keys, except the public keys are sent over the wire in x509 (cert) form
11:29:44 <lysobit> twitchyliquid64: plus the point of this is to actually provide an interface both for users and webmasters to make it easily possible
11:30:05 <lysobit> twitchyliquid64: well, this is basically what this project is
11:30:32 <twitchyliquid64> lysobit: I hear you, usability is very important, but why not take your interface and tap it on to an existing technology that does exactly what you have described?
11:30:40 <twitchyliquid64> ie: TLS
11:31:08 <lysobit> twitchyliquid64: I am using existing "technology": RSA.
11:31:21 <lysobit> twitchyliquid64: which is what TLS can be based on
11:31:30 <lysobit> twitchyliquid64: but without the clutter of TLS
11:31:40 <twitchyliquid64> yes, but TLS is the wire format which is widely compatible
11:32:08 <lysobit> twitchyliquid64: you seem to misunderstand what TLS is actually for
11:32:16 <twitchyliquid64> you are using your own wire format when in fact what you are doing can be done entirely without any compatibility issues
11:32:37 <twitchyliquid64> lysobit: TLS has THREE properties. Confidentiality, Integrity, and Authenticity.
11:32:57 <twitchyliquid64> Authenticity is normally only used one way, but in this case, 2way is enabled.
11:33:03 <twitchyliquid64> All browsers support both modes.
11:34:26 <lysobit> twitchyliquid64: TLS is _not_ built for web-based authentication. I still need to build on top of TLS to incorporate things like session ID assertion.
11:34:37 <lysobit> twitchyliquid64: TLS is not the only suitable format for auth
11:34:45 <lysobit> twitchyliquid64: look at SSH for example, it doesn't use TLS
11:35:11 <twitchyliquid64> lysobit: why not use SSH as your wire format then? same three properties
11:35:35 <lysobit> twitchyliquid64: because that would require the web server to run an SSH server -.-
11:35:38 <lysobit> twitchyliquid64: also
11:35:44 <twitchyliquid64> and TLS is a transport layer protocol; upper-stack level concerns are out of scope and mixing those concerns is considered bad practice
11:35:55 <lysobit> twitchyliquid64: the idea of this is that a webmaster can implement this WITHOUT modifications to their web server
11:36:04 <twitchyliquid64> lysobit: but your web server is already running your custom-protocol server!
11:36:10 <lysobit> twitchyliquid64: nope!
11:36:16 <lysobit> twitchyliquid64: you're assuming so without even asking
11:36:24 <lysobit> twitchyliquid64: the client queries a web application
11:36:36 <lysobit> twitchyliquid64: over standard HTTP/HTTPs, no custom protocol
11:36:49 <lysobit> twitchyliquid64: (i.e. a PHP/Python application)
11:37:08 <lysobit> i.e. auth.php
11:37:39 <lysobit> A webmaster can simply download the PHP/Python/Ruby/whatever library and use it with no server modification
11:37:52 <lysobit> It's all done over HTTP
11:37:59 <lysobit> (or HTTPs)
11:38:20 <lysobit> Does that make sense?
11:38:34 <twitchyliquid64> I can see a minor difference in that keyauth is done in appspace vs. transport layer
11:38:43 <twitchyliquid64> but apart from that
11:38:52 <twitchyliquid64> is there really that much a difference?
11:38:56 <lysobit> I think that's a rather major difference in ease of implementation...
11:39:11 <twitchyliquid64> disagreed, client cert auth is easy and widely done
11:39:21 <twitchyliquid64> especially on govt websites
11:39:28 <twitchyliquid64> and startssl.com
11:39:40 <lysobit> I see no reason at all to force the webmaster to make modifications to the webserver when it can all be done via standard HTTP/HTTPs over a web app
11:39:52 <lysobit> and no custom protocol required
11:39:58 <lysobit> Simply GET and POST requests
11:40:04 <lysobit> hence "web-based"
11:40:34 <twitchyliquid64> whether you put the complexity at the transport layer or the web layer, its still there
11:40:38 <lysobit> using TLS because it "already exists" complicates things, not simplifies them
11:40:55 <twitchyliquid64> disagreed, consider this
11:41:19 <twitchyliquid64> if someone wants automatic login (like browser remembering logins/cookies) they cant really do it
11:41:21 <lysobit> twitchyliquid64; if I use TLS, I will have to make modifications to the server AND devise a web app - more complexity already
11:41:32 <lysobit> twitchyliquid64: yes they can
11:41:47 <twitchyliquid64> on the contrary, the browser remembers the client cert of the website and serves it on login, instantly authenticating the user
11:42:08 <lysobit> twitchyliquid64: that can be implented in the client-side KeypairAuth application (remembering logins)
11:42:15 <lysobit> implemented*
11:42:26 <twitchyliquid64> twitchyliquid64; if I use TLS, I will have to make modifications to the server AND devise a web app - more complexity already
11:42:29 <twitchyliquid64> nope
11:42:32 <lysobit> yup
11:42:50 <twitchyliquid64> client cert details are passed as a param to the webapp - like cookies or REMOTE_ADDR
11:42:53 <twitchyliquid64> no config required
11:43:13 <lysobit> If I use TLS, modification to the browser will also be needed
11:43:27 <lysobit> KeypairAuth is a browser-independent application, not a browser plugin
11:43:28 <twitchyliquid64> all you need to do is setup SSL/TLS, which you have to do anyway otherwise your everything (cept your pw of course) gets snooped
11:44:00 <twitchyliquid64> lysobit: TLS is widely supported
11:44:05 <twitchyliquid64> no modification needed
11:44:33 <lysobit> I see your point
11:45:14 <twitchyliquid64> My point is simply not to reinvent the wheel and create another standard, that is all :)
11:45:48 <lysobit> I will have to "create" another standard regardless if TLS is used or not
11:45:55 <lysobit> the standard will have to be on top of TLS
11:46:04 <lysobit> to implement sessionID signing, etc
11:46:18 <twitchyliquid64> sessionID == cookies + webapp
11:46:19 <lysobit> also
11:46:24 <twitchyliquid64> application level
11:46:44 <lysobit> The caveat with using TLS is that all websites will have to buy a SSL cert, or be forced to use a bad one
11:46:58 <twitchyliquid64> yepp
11:47:09 <lysobit> Which is a rather major caveat
11:47:16 <twitchyliquid64> agreed
11:47:19 <lysobit> Just ask joepie91, about how much CA sucks
11:47:23 <twitchyliquid64> major caveat for web security
11:47:28 <twitchyliquid64> but its the only option ATM
11:47:39 <twitchyliquid64> despite how broken the trust model is
11:47:49 <twitchyliquid64> I absolutely agree
11:47:54 <lysobit> or implement the authentication on top of HTTP/HTTPs using web app like I'm already doing and not rely on any CA? :P
11:47:56 <twitchyliquid64> I use selfsigned for that reason
11:48:10 <lysobit> or require a CA*
11:48:16 <twitchyliquid64> we need what SSH uses; keypinning
11:48:38 <lysobit> anyway
11:48:44 <lysobit> I need to get back to work
11:48:48 <twitchyliquid64> lolk
11:48:49 <lysobit> feel free to have a look at keypairauth
11:48:57 <twitchyliquid64> I am
11:49:04 <lysobit> (it's not finished yet)
11:49:23 <twitchyliquid64> obviously
11:49:40 <twitchyliquid64> (apologies for coming across a bit bitchy, I am on my period)
11:49:48 <lysobit> I should probably explain to you how it works later
11:49:51 <lysobit> if you're interested
11:49:51 <lysobit> np
11:49:55 <lysobit> debate is good
12:09:21 foolex has quit (Ping timeout)
12:14:56 foolex (foolex@5D6B0912.EC145393.9A74EEF1.IP) has joined #crytocc
12:15:22 x has quit (Input/output error)
12:33:31 <joepie91> twitchyliquid64: I should not that A. client cert support across browsers and platforms is poor, and B. the UI for it is even worse (and basically non-existent)
12:33:35 <joepie91> note *
12:34:24 <joepie91> also
12:34:26 <joepie91> coming to think of it
12:34:30 <joepie91> let me dig through my ideas .txt files
12:35:06 * joepie91 flips through textfiles
12:35:42 <joepie91> hmm
12:35:55 <joepie91> twitchyliquid64: I have a bunch of ideas laying around, but none of them are really related to security
12:36:17 <joepie91> the one idea that is (keypair auth on websites), lysobit is already working on
12:36:17 <joepie91> :p
12:37:52 <joepie91> most of my ideas relate to UI and documentation
12:38:02 <joepie91> and dev stuff
12:40:39 <joepie91> such as in-editor code visualization (especially useful to dyslexic devs I suspect, but also for beginning devs and for complex projects)
12:41:05 <joepie91> a centralized documentation/reference system for devs with cheatsheets and reference lookup in a single tabbed page
12:41:30 <joepie91> proper light-weight HTML/CSS/JS UI components with graceful fallback
12:41:40 <joepie91> more complex components, I mean
12:41:55 <joepie91> and a bunch of notes on the requirements for good documentation, that I still need to turn into an article
12:42:23 <joepie91> (http://sprunge.us/YSDU)
12:42:50 <joepie91> also
12:43:01 <joepie91> s/code visualization/code flow visualization/
12:43:33 <joepie91> ie. a diagram-like sideline indicating the flow of a complex block of code with control flow statements (loops, conditionals, breaks, and so on)
13:06:47 <botpie91> musalbas made 1 commit(s) to btcalltimehigh on branch master: 'Change to CherryPy instead of web.py' (https://github.com/musalbas/btcalltimehigh/compare/b3578fb5c7...7ab99f5977)
13:33:02 <DrWhat> btcalltimehigh
13:33:10 <DrWhat> sounds like a badass drug
14:50:27 <joepie91> "A form is an instance of FormController. The form instance can optionally be published into the scope using the name attribute. Similarly, control is an instance of NgModelController. The control instance can similarly be published into the form instance using the name attribute. This implies that the internal state of both the form and the control is available for binding in the view using the standard binding primitives."
14:50:31 <joepie91> who writes these docs
14:50:32 <joepie91> jesus christ
14:50:44 <joepie91> have they never heard of "understandable writing"?
15:20:53 <joepie91> interesting: https://twitter.com/DefuseSec/status/408975222163795969
15:21:30 complex (litehode@complex.users.cryto) has joined #crytocc
15:23:57 <botpie91> musalbas made 1 commit(s) to btcalltimehigh on branch master: 'server.py finish' (https://github.com/musalbas/btcalltimehigh/compare/96373cb6ff...028953fff1)
16:14:12 RMON_MRTG has quit (Input/output error)
16:14:17 RMON_MRTG (RMON@cryto-9904015.dfri.se) has joined #crytocc
16:25:32 <orbit> Hai guys
16:27:51 <joepie91> ohai :P
16:31:20 <dorotea> am I the only one unhappy with the lack of dynamic range in pop music? e.e
16:31:38 <dorotea> I can't tell if that's a new thing or I'm just becoming crotchety
16:31:55 <Zekka> No, it's new and it's annoying
16:32:01 GHOSTnew has quit (Ping timeout)
16:32:04 <Zekka> a lot of mixing these days is super aggressive
16:32:20 <dorotea> :/
16:32:36 <dorotea> It's like the loudness wars of the 90s but they kept going
16:32:40 <dorotea> e.e
16:32:41 <joepie91> lol
16:32:52 <joepie91> what's it called again? brickwalling?
16:33:13 <dorotea> Iunno
16:33:24 <Zekka> I don't know the term, but I think that might be it
16:33:37 <dorotea> It's really obvious in this song: https://www.youtube.com/watch?v=OblL026SvD4 the girl sounds like the guitars sounds like the keyboard
16:33:54 GHOSTnew (GHOSTnew@GHOSTnew.users.cryto) has joined #crytocc
16:34:16 <dorotea> my sound engineer friend was blaming digital audio and compression
16:34:24 <dorotea> as a contributing factor lol
16:35:01 <dorotea> usually I chalk it up to him being crotchety, but then you hear the concerts he builds the sound systems for and you always listen to what he says
16:36:08 <dorotea> he was telling me, he gets these new bands that come in and want to use their own digital mixers
16:36:21 <dorotea> and they insist on it, so he lets them
16:36:36 <dorotea> and everyone can hear how tin-y it sounds
16:36:55 <dorotea> versus his old analogue mixers/amps
16:37:40 <dorotea> he had the mixboard girl from one band go "well, I bet 5db of analogue is at least as good as 5db of digital, so you wanna trade? ;)"
16:37:56 <dorotea> (turn her output down, he turns his board up)
16:41:13 Law (Law@BE832336.CF4AF07F.8A0A96D.IP) has joined #crytocc
16:43:38 Zekka has quit (Ping timeout)
16:47:37 MrPinky has quit (Client exited)
16:48:59 MrPinky (MrPinky@cryto-105978D8.chrismail.de) has joined #crytocc
16:57:37 GHOSTnew has quit (Ping timeout)
16:58:04 GHOSTnew (GHOSTnew@GHOSTnew.users.cryto) has joined #crytocc
17:31:35 Law has quit (Ping timeout)
17:35:07 zest (zest@cryto-88E4AE0C.chrismail.de) has joined #crytocc
17:37:46 dpk has quit (Ping timeout)
17:58:21 <botpie91> musalbas made 2 commit(s) to btcalltimehigh on branch master: 'Add config, fix interface integers', 'Add config, fix interface integers' (https://github.com/musalbas/btcalltimehigh/compare/028953fff1...3ea0dfdcbb)
18:00:39 Zekka (zekka@cryto-69BD219B.arizona.edu) has joined #crytocc
18:29:15 foolex has quit (Ping timeout)
18:36:51 foolex (foolex@5D6B0912.EC145393.9A74EEF1.IP) has joined #crytocc
18:39:39 <dorotea> ugh
18:39:45 <dorotea> the new facebook button is sexy e.e
18:57:20 tintin (tintin@tintin.users.cryto) has joined #crytocc
19:44:32 Zekka has quit (Ping timeout)
19:46:04 Cryto561 (Cryto561@cryto-8EB5BDA8.sub-70-197-14.myvzw.com) has joined #crytocc
19:46:18 Cryto561 has quit (User quit:  Page closed)
19:47:55 Pandora (Pandora__@cryto-CE7FD08D.ighost.se) has joined #crytocc
20:01:10 Zekka (zekka@cryto-C758159B.arizona.edu) has joined #crytocc
20:05:04 Mighty0wl (Mighty0wl@cryto-70D375DD.us-west-1.compute.amazonaws.com) has joined #crytocc
20:06:25 Mighty0wl has quit (User quit:  Connection closed)
20:11:54 zest has quit (User quit:  have fun :P)
20:16:45 Pandora has quit (User quit:  Leaving)
20:21:53 iceTwy (iceTwy@cryto-610769D0.fbx.proxad.net) has joined #crytocc
20:33:06 <dorotea> I don't... understand.
20:36:48 <dorotea> holy hell
20:36:57 <dorotea> 118k log lines for my webserver only goes back to sept
20:37:09 <dorotea> I think I get more traffic than google analytics lets on
20:37:45 <dorotea> hmm
20:38:01 <dorotea> the bigger question is: why does transmission ask a site for favicon.png
21:00:40 Zekka has quit (Ping timeout)
21:22:08 <botpie91> joepie91 made 1 commit(s) to Envoy on branch feature/client-tide: 'Fix bug when loading client in web browser' (https://github.com/KnightSwarm/Envoy/compare/b9977b84dd...fc07cd0973)
21:26:16 complex has quit (Input/output error)
21:29:14 niveus has quit (Ping timeout)
21:31:22 niveus (niveus@niveus.users.cryto) has joined #crytocc
21:48:50 <dorotea> .bitcoin
21:48:50 <botpie91> 1 BTC = $869.25, 1 BTC = €662.00
21:48:56 <dorotea> hehe, back where it should be
21:49:49 <connor> hmm gonna buy some
21:49:51 <connor> soon
21:51:59 <dorotea> yeah, see where it resettles at before you buy :)
21:52:10 <connor> yeh might go down
21:53:40 <dorotea> da
21:56:39 <dorotea> it's symbolic more than anything
21:57:58 Zekka (zekka@cryto-9E95BACD.arizona.edu) has joined #crytocc
22:25:31 Zekka has quit (Ping timeout)
23:13:21 <DrWhat> http://bitcoinwisdom.com/
23:13:23 <DrWhat> Look at the drop
23:13:30 <DrWhat> 1200 -> 800
23:13:32 <DrWhat> damn
23:13:53 <DrWhat> Its funny
23:27:20 <orbit> I was saying to some friends if we bought some when they were at like 600 - 800 it would rise then drop again a few days ago ( a week or so now ) and it did lol, wish I bought some
23:42:36 mama has quit (Ping timeout)